Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
12/08/2024, 01:21
Static task
static1
Behavioral task
behavioral1
Sample
daa3f3ff735da217e65b4b372abea33a2c11796a4432b67852957fd9dfdb35ad.msi
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
daa3f3ff735da217e65b4b372abea33a2c11796a4432b67852957fd9dfdb35ad.msi
Resource
win10v2004-20240802-en
General
-
Target
daa3f3ff735da217e65b4b372abea33a2c11796a4432b67852957fd9dfdb35ad.msi
-
Size
4.6MB
-
MD5
b579209ffd24ed37bc4c4aa95dbd027e
-
SHA1
cc5643c0dca29e91c8f7fcbd1e2784601c06caea
-
SHA256
daa3f3ff735da217e65b4b372abea33a2c11796a4432b67852957fd9dfdb35ad
-
SHA512
d052a5fccb4e630e2d444aa74fbc7722e2bf553f1bff0f7f98078a9b9e0c5cd862006d36213ebecb7dc2834c3fd4a4af89af6d061df632894a948b912e429db1
-
SSDEEP
98304:xEqANPKab52vFRkfwWc+u6M7ucTRDLKu7t58MUYrrpuP9tCFB7FS:WPKpkfwWlu66PRDLb58MnrrOt
Malware Config
Signatures
-
Blocklisted process makes network request 2 IoCs
flow pid Process 3 2072 msiexec.exe 5 2072 msiexec.exe -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\Z: msiexec.exe -
Loads dropped DLL 2 IoCs
pid Process 5100 MsiExec.exe 5100 MsiExec.exe -
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
pid Process 2072 msiexec.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 2072 msiexec.exe Token: SeIncreaseQuotaPrivilege 2072 msiexec.exe Token: SeSecurityPrivilege 3216 msiexec.exe Token: SeCreateTokenPrivilege 2072 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 2072 msiexec.exe Token: SeLockMemoryPrivilege 2072 msiexec.exe Token: SeIncreaseQuotaPrivilege 2072 msiexec.exe Token: SeMachineAccountPrivilege 2072 msiexec.exe Token: SeTcbPrivilege 2072 msiexec.exe Token: SeSecurityPrivilege 2072 msiexec.exe Token: SeTakeOwnershipPrivilege 2072 msiexec.exe Token: SeLoadDriverPrivilege 2072 msiexec.exe Token: SeSystemProfilePrivilege 2072 msiexec.exe Token: SeSystemtimePrivilege 2072 msiexec.exe Token: SeProfSingleProcessPrivilege 2072 msiexec.exe Token: SeIncBasePriorityPrivilege 2072 msiexec.exe Token: SeCreatePagefilePrivilege 2072 msiexec.exe Token: SeCreatePermanentPrivilege 2072 msiexec.exe Token: SeBackupPrivilege 2072 msiexec.exe Token: SeRestorePrivilege 2072 msiexec.exe Token: SeShutdownPrivilege 2072 msiexec.exe Token: SeDebugPrivilege 2072 msiexec.exe Token: SeAuditPrivilege 2072 msiexec.exe Token: SeSystemEnvironmentPrivilege 2072 msiexec.exe Token: SeChangeNotifyPrivilege 2072 msiexec.exe Token: SeRemoteShutdownPrivilege 2072 msiexec.exe Token: SeUndockPrivilege 2072 msiexec.exe Token: SeSyncAgentPrivilege 2072 msiexec.exe Token: SeEnableDelegationPrivilege 2072 msiexec.exe Token: SeManageVolumePrivilege 2072 msiexec.exe Token: SeImpersonatePrivilege 2072 msiexec.exe Token: SeCreateGlobalPrivilege 2072 msiexec.exe Token: SeCreateTokenPrivilege 2072 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 2072 msiexec.exe Token: SeLockMemoryPrivilege 2072 msiexec.exe Token: SeIncreaseQuotaPrivilege 2072 msiexec.exe Token: SeMachineAccountPrivilege 2072 msiexec.exe Token: SeTcbPrivilege 2072 msiexec.exe Token: SeSecurityPrivilege 2072 msiexec.exe Token: SeTakeOwnershipPrivilege 2072 msiexec.exe Token: SeLoadDriverPrivilege 2072 msiexec.exe Token: SeSystemProfilePrivilege 2072 msiexec.exe Token: SeSystemtimePrivilege 2072 msiexec.exe Token: SeProfSingleProcessPrivilege 2072 msiexec.exe Token: SeIncBasePriorityPrivilege 2072 msiexec.exe Token: SeCreatePagefilePrivilege 2072 msiexec.exe Token: SeCreatePermanentPrivilege 2072 msiexec.exe Token: SeBackupPrivilege 2072 msiexec.exe Token: SeRestorePrivilege 2072 msiexec.exe Token: SeShutdownPrivilege 2072 msiexec.exe Token: SeDebugPrivilege 2072 msiexec.exe Token: SeAuditPrivilege 2072 msiexec.exe Token: SeSystemEnvironmentPrivilege 2072 msiexec.exe Token: SeChangeNotifyPrivilege 2072 msiexec.exe Token: SeRemoteShutdownPrivilege 2072 msiexec.exe Token: SeUndockPrivilege 2072 msiexec.exe Token: SeSyncAgentPrivilege 2072 msiexec.exe Token: SeEnableDelegationPrivilege 2072 msiexec.exe Token: SeManageVolumePrivilege 2072 msiexec.exe Token: SeImpersonatePrivilege 2072 msiexec.exe Token: SeCreateGlobalPrivilege 2072 msiexec.exe Token: SeCreateTokenPrivilege 2072 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 2072 msiexec.exe Token: SeLockMemoryPrivilege 2072 msiexec.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2072 msiexec.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 3216 wrote to memory of 5100 3216 msiexec.exe 89 PID 3216 wrote to memory of 5100 3216 msiexec.exe 89 PID 3216 wrote to memory of 5100 3216 msiexec.exe 89
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\daa3f3ff735da217e65b4b372abea33a2c11796a4432b67852957fd9dfdb35ad.msi1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2072
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3216 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 4FBE310B588DD553803DED0E09687CC8 C2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:5100
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
571KB
MD574e478e182e05b8e0e721e1b6a61f876
SHA1afe914643ac1763c1fc7fa6b8fd75577c6dc3f58
SHA25629d8078ec5fbd57c156008bfcceceb277805d375c80a3a5e8355bd4484e3632d
SHA51273fbc3c58b5fa03504b7080540198b3d3f6dbfdb49b73848b2d599bbc821b763a118649f2ac7216fefcc98dad4dc4fc77b9a7ff3d862ea4b7536bf03377fba7f